access list

A mechanism by which routers determine which packets should be forwarded and which should be blocked. Routers normally route packets by examining the destination address of each packet received and determining which port the packet should be forwarded to. Sometimes, however, packets should not be forwarded to their destinations at all, or should be forwarded to different ports using criteria other than a simple destination address. For example, certain incoming packets may constitute a security hazard to the network and should be blocked and dropped. Load balancing may require that packets be distributed across multiple ports in round-robin fashion instead of delivered to a fixed address. And certain types of traffic have high priority and need special handling. Access lists are a mechanism for handling these issues and provide a packet filtering capability that enhances the power and functionality of routers.

An access list is basically an ordered (sequential) series of rules or filters, each of which either permits or denies the flow of packets across an interface depending on the rule's nature and the packet's contents. When a packet arrives at an interface on which an access list has been created and applied, the rules in the list are applied to the packet in order from the top of the list downward. If the packet's contents match the conditions in a rule, that rule is applied and the packet is either forwarded or dropped; no later rule is consulted. If a rule does not apply, the next rule in the list is tried until either a match is found and the packet processed or the end of the list is reached, at which point the packet is dropped (in other words, there is an implicit "deny all" at the end of every access list).

You should consider several things when using access lists to filter packets through a router:

- For an access list to function, it must first be created in the router's memory and then explicitly assigned to a router interface. A list that exists in the configuration but is not assigned to any interface filters nothing.
- When an access list is applied to an interface, the access list's direction must be specified. That is, you must decide whether the access list will be applied to inbound traffic or to outbound traffic on that interface; the same list can be applied in both directions, but each direction is assigned separately.
- The order in which the rules are organized within an access list is important. Two access lists with identical rules but in different order can have significantly different effects, because the first matching rule decides the packet's fate and any later rule that would also have matched is never reached.
- Each rule either permits a matching packet to be forwarded or denies a packet from being forwarded.
- By default, an access list implicitly denies everything. In other words, when a packet is being processed by an access list, if a match occurs that allows the packet to be forwarded, the packet is allowed to pass across the interface. If no match is found (the contents of the packet do not explicitly match any of the criteria specified in the rules within the access list), the packet is blocked from passing over the interface and is thus dropped by the router. A consequence is that a list consisting only of deny rules blocks all traffic in the direction it is applied.

The Internetwork Operating System (IOS) by Cisco Systems, the operating system used by Cisco routers, has commands for creating access lists and applying them to an interface. IOS supports two basic types of IP access lists:

- Standard: A standard access list filters packets based only on their source address.
- Extended: An extended access list filters packets based both on their source address and on a number of other criteria, including destination address, protocol (such as TCP, UDP, or ICMP), IP precedence or type of service, and application (TCP or UDP port numbers).

A simple example of an IOS access list rule that allows traffic from source address 172.16.15.33 to pass across a specified interface would be

access-list 1 permit host 172.16.15.33

Here the number 1 identifies the access list this rule belongs to; all rules entered with the same number form a single list, in the order in which they were entered. The number range also indicates what kind of access list it is: standard IP access lists are numbered 1 through 99 and extended IP access lists 100 through 199 (see the table).
To take another example, if your network is the 172.16.44.0 subnet with the subnet mask 255.255.255.0, to allow stations on your network unrestricted access to the Internet through your packet-filtering router, you could use the rule

access-list 1 permit 172.16.44.0 0.0.0.255

Note that 0.0.0.255 is not a subnet mask but a wildcard mask, the bitwise complement of the subnet mask 255.255.255.0: a 0 bit in the wildcard means the corresponding bit of the packet's source address must match the address given in the rule, and a 1 bit means that bit is ignored. As a final example, the following access list blocks incoming traffic from the malicious host 133.16.1.11 but allows all other traffic to enter through the router:

access-list 1 deny host 133.16.1.11 log
access-list 1 permit any

The log keyword causes the router to generate a logging message for packets that match this rule. The messages go to the console and, if logging is so configured, to the router's logging buffer or a syslog server, and can be viewed with the show logging command. IOS rate-limits these messages: the first matching packet is logged immediately and later matches are summarized at intervals, so the log records that the host was blocked but not every packet that was dropped.

IOS access lists can be entered directly at the configuration prompt, or created using a simple ASCII text editor and transferred to the router using Trivial File Transfer Protocol (TFTP) or some other mechanism. To apply a list, enter configuration mode for the interface with the interface command and then use the ip access-group command, which names the list and specifies the direction (in or out) in which it filters traffic on that interface.

One limitation of the numbered IOS access lists described here is that you cannot remove or change a single statement in the middle of the list; removing the list by number removes all of its statements. Instead you must create a new access list, remove the old one from the interface, and apply the new list to the interface. You can, however, add rules to the bottom of an existing list, if this meets your needs. To avoid retyping an access list from scratch when you need to modify a rule, use TFTP to copy the existing router configuration to a text file on a workstation, edit the list in the file, and copy the modified configuration back onto the router. Two cautions apply. First, copying a configuration file to the running configuration merges it with what is already there rather than replacing it, so the file must remove the old list (with a no access-list statement for that number) before redefining it; otherwise the edited rules are simply appended after the old ones. Second, an interface whose access-group refers to a list that does not exist passes all traffic, so in the interval between removing the old list and finishing the new one the interface is unfiltered. Either remove the list from the interface first, or build the new list under a different number and switch the interface to it once it is complete.
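The first-match, implicit-deny semantics and the wildcard-mask matching described above, modelled in Python as an added example (this is not code from the article or from Cisco IOS, only a model of the behaviour the entry describes). It parses the statement forms used in this entry, evaluates constructed packets against three constructed lists, and shows why order matters: lists 1 and 2 contain the same two statements in opposite order, so list 1 drops the malicious host and logs it, while list 2 lets it through because permit any is reached first. The configuration fragment and the source addresses are constructed for the demonstration.

```python
"""Model of Cisco IOS numbered standard access lists (added example, not IOS code).

Only the standard-list statement forms used in the article are parsed:
    access-list N permit|deny any
    access-list N permit|deny host A.B.C.D
    access-list N permit|deny A.B.C.D W.X.Y.Z    (address plus wildcard mask)
    access-list N permit|deny A.B.C.D            (IOS treats this as a host)
each with an optional trailing 'log' keyword.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Rule:
    action: str       # "permit" or "deny"
    network: int      # source address named in the rule, as a 32-bit integer
    wildcard: int     # wildcard mask: 1 bits are "don't care", 0 bits must match
    log: bool = False

    def matches(self, src: str) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard          # bits the router compares
        return (ip2int(src) ^ self.network) & care == 0


def parse_rule(line: str) -> tuple[int, Rule]:
    """Parse one 'access-list N permit|deny <source> [log]' statement."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, source = int(tokens[1]), tokens[2], tokens[3:]
    if not 1 <= number <= 99:
        raise ValueError(f"list {number}: only standard IP lists (1-99) are modelled")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    log = bool(source) and source[-1] == "log"
    if log:
        source = source[:-1]
    if source == ["any"]:
        network, wildcard = 0, 0xFFFFFFFF          # every bit ignored
    elif len(source) == 2 and source[0] == "host":
        network, wildcard = ip2int(source[1]), 0    # every bit must match
    elif len(source) == 2:
        network, wildcard = ip2int(source[0]), ip2int(source[1])
    elif len(source) == 1:
        network, wildcard = ip2int(source[0]), 0    # bare address = single host
    else:
        raise ValueError(f"cannot parse source in {line!r}")
    return number, Rule(action, network, wildcard, log)


class AccessList:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: list[Rule] = []      # kept in the order the statements appeared
        self.log_entries: list[str] = []

    @classmethod
    def from_config(cls, config: str) -> dict[int, AccessList]:
        """Group the access-list statements of a config fragment by list number."""
        lists: dict[int, AccessList] = {}
        for line in config.splitlines():
            line = line.strip()
            if not line or line.startswith("!"):    # '!' starts an IOS comment
                continue
            number, rule = parse_rule(line)
            lists.setdefault(number, cls(number)).rules.append(rule)
        return lists

    def evaluate(self, src: str) -> str:
        """Return 'permit' or 'deny' for a packet with source address src."""
        for rule in self.rules:                     # top of the list downward
            if rule.matches(src):
                if rule.log:
                    self.log_entries.append(f"list {self.number} {rule.action} {src}")
                return rule.action                  # first match wins
        return "deny"   # implicit deny at the end of every list (IOS does not log it)


# Constructed configuration fragment for the demonstration (not from a real router).
# Lists 1 and 2 hold the same two statements in opposite order; list 3 permits one
# subnet through a wildcard mask and relies on the implicit deny for everything else.
CONFIG = """\
access-list 1 deny host 133.16.1.11 log
access-list 1 permit any
access-list 2 permit any
access-list 2 deny host 133.16.1.11 log
access-list 3 permit 172.16.44.0 0.0.0.255
"""

SOURCES = ["133.16.1.11", "172.16.44.7", "172.16.45.7"]   # constructed test packets


def demo() -> tuple[dict[int, list[str]], list[str]]:
    """Evaluate each constructed source against every list; return decisions and logs."""
    lists = AccessList.from_config(CONFIG)
    decisions = {n: [acl.evaluate(s) for s in SOURCES] for n, acl in sorted(lists.items())}
    logs = [entry for acl in lists.values() for entry in acl.log_entries]
    return decisions, logs


if __name__ == "__main__":
    verdicts, logged = demo()
    for number, results in verdicts.items():
        print(f"access-list {number}:", dict(zip(SOURCES, results)))
    print("logged:", logged)
```

The model deliberately omits what a real router does around the list: the interface and direction the list is bound to, the extended-list match fields, and the rate limiting IOS applies to log messages. The point it makes is the one the entry stresses: list 2's deny statement is unreachable, and list 3 drops 172.16.45.7 without any deny statement at all.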
IOS version 12 adds time-based access lists, which allow access list entries to be in effect only during specified times of day and days of the week, so that different filtering applies at different times.

Access lists are sometimes called access control lists, but this can be confusing because the term access control list (ACL) also refers to a mechanism for securing file system objects and other operating system objects.

The table in this article shows that each type of access list has only about 100 numbers available (for example, 1 through 99 for standard IP lists). In some circumstances (for example, on complex backbone routers) this is not sufficient, and you can use named access lists instead. Named access lists are referenced using an alphanumeric name instead of a number, and you can create as many of them as you need; they also allow an individual entry to be removed without deleting and re-creating the whole list.

Placement is an important issue to consider when applying access lists to interfaces. A standard access list filters only on source address, so it should be placed as close as possible to the destination; placed near the source, it would block that source's traffic to every destination, not only the one you intend. An extended access list can identify the exact traffic to drop, so it should be placed as close as possible to the source, where unwanted packets are discarded before they consume bandwidth across the network.